Lucene search
K

5 matches found

RedhatCVE
RedhatCVE
added 2026/06/16 11:29 a.m.6 views

CVE-2026-41731

A flaw was found in the spring-kafka component. A remote attacker, by supplying crafted header values, could exploit a vulnerability in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper that incorrectly matched type headers against trusted packages. This issue, combined with Jackson's default be...

8.1CVSS5.7AI score0.00489EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/10 12:31 a.m.8 views

In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

8.1CVSS5.4AI score0.00489EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/09 11:49 p.m.30 views

CVE-2026-41732 In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

8.1CVSS0.00347EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 11:49 p.m.9 views

CVE-2026-41732 In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

8.1CVSS5.4AI score0.00347EPSS
Exploits0References1
CVE
CVE
added 2026/06/09 11:49 p.m.34 views

CVE-2026-41732

CVE-2026-41732 affects Spring for Apache Pulsar due to JsonPulsarHeaderMapper using a prefix-based check on trusted packages, causing trust to cascade to subpackages. An empty trusted-packages config can default to trusting all packages. This exposes potential deserialization risk by allowing acc...

8.1CVSS5.5AI score0.00347EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder